
‘Password’ Replaced by ‘123456’ as Most Common Idiotic Password

In what can only be described as an improvement in the very feeblest sense of the word, Internet users in 2013 adopted “123456” as their preferred password, and let “password” fall to No. 2.

Splash Data, a Los Gatos, Calif.-based company that produces user-friendly security apps, keeps track of data breaches each year and monitors the resulting exposed passwords. Its annual list of “Worst Passwords” is supposed to dissuade users from picking easy-to-guess passwords, which are vulnerable to brute-force attacks as well as guesswork.

The lower-case “password” is, indeed, a terrible password: It contains no numbers, no capital letters and no unusual symbols, and other humans can guess it easily. “123456” is not much of an improvement, for similar reasons. Other popular, if dismal, choices include “12345678,” “qwerty,” “abc123” and “111111.”

A few new entries did show up this year, such as “adobe123” and “photoshop.” Splash Data theorizes that this may be due to the highly publicized Adobe data breach, which spilled login information for more than 130 million Adobe accounts.

Other new entries, such as “princess,” are harder to explain. The practice of using common words, though, is old hat: “monkey,” “shadow” and “sunshine” all appeared in the top 25, as did “iloveyou” and “letmein.”

No password is completely immune from attackers, but Splash Data’s list helps to illustrate just how ripe users can make their accounts for exploitation. Lowercase passwords consisting of complete words are easy to guess; passwords made up of digits are even easier, as there are fewer digits than letters. Appending a “1” or a “123” to a common word also does not do much to secure your information.

The best passwords are more than 10 characters long, use uncommon letter-and-number combinations and employ bits of punctuation to further confuse password crackers. Every Internet user should use a different password for each online service employed; otherwise, a hacker who possesses one password can go on to compromise every Internet profile protected by that password.
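The checks described in the last two paragraphs can be applied when a password is chosen. The following sketch is an added example, not code from the article or from Splash Data; the function names, the deny-list (limited to the passwords quoted above) and the sample passwords are assumptions made for illustration.

```python
import math
import re

# Only the passwords quoted in the article; a production deny-list is far larger.
COMMON = {
    "123456", "password", "12345678", "qwerty", "abc123", "111111",
    "adobe123", "photoshop", "princess", "monkey", "shadow", "sunshine",
    "iloveyou", "letmein",
}
# Assumption: "common words" are the list entries with trailing digits removed.
BASE_WORDS = {re.sub(r"[0-9]+$", "", p) for p in COMMON} - {""}
MIN_LENGTH = 11  # the article: "more than 10 characters long"
# (pattern, pool size): lowercase, uppercase, digits, other printable ASCII
POOLS = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33)]


def alphabet_size(pw):
    """Number of candidate characters a brute-force search has to cover."""
    return sum(size for pattern, size in POOLS if re.search(pattern, pw))


def brute_force_bits(pw):
    """log2 of the brute-force search space. This is an upper bound on
    strength: it says nothing about dictionary guessing, hence screen()."""
    return len(pw) * math.log2(alphabet_size(pw)) if pw else 0.0


def screen(pw):
    """Return the reasons to reject pw; an empty list means it passed."""
    reasons = []
    lowered = pw.lower()
    stem = re.sub(r"[0-9]+$", "", lowered)  # "monkey1" -> "monkey"
    if lowered in COMMON or stem in BASE_WORDS:
        reasons.append("common password, or common word plus digits")
    if pw.isdigit():
        reasons.append("digits only")
    if len(pw) < MIN_LENGTH:
        reasons.append("10 characters or fewer")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"[0-9]", pw)
            and re.search(r"[^A-Za-z0-9]", pw)):
        reasons.append("missing letters, digits or punctuation")
    return reasons


if __name__ == "__main__":
    for sample in ("123456", "monkey1", "t7#Vq!m2x&Lp9"):  # constructed samples
        print(sample, round(brute_force_bits(sample), 1), screen(sample))
```

For two six-character passwords, the digits-only one has the smaller search space (about 19.9 bits against about 28.2 for lowercase letters), which is the article's point about digits being easier than letters.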